TechSpot

Cleaning ThinkPoint et. al. help request

Inactive
By NotEnoughSand
Nov 23, 2010
Topic Status:
Not open for further replies.
  1. I'd like to request some assistance with an infection.

    According to StopZilla, the infections are ThinkPoint, Catchme, MicroPlugin, GASF, MalPak.E, Rootkil.TDSS.Gen.3, Boot, Ultimate Defender, lpv4mons, System Polices/Disable Registry Tools, and Cognac.

    Initial symptoms were the installation of Thinkpoint itself (didn't have to download or run executable code), followed by tons of false Hard Drive status reports, reboots if those warnings were closed, and a fake 'check disk' program running. The contents of My Documents were hidden from Windows Explorer, but could still be accessed if the directory was entered manually into the Windows Explorer address line. The Start Menu listed all items in the My Documents Folder, crowding out the program groups that were supposed to be there. Finally, access to many programs was denied, running these would cause a 'hard drive' error which was apparently bogus.

    I've run the 8-step process, except for Malware Bytes. MBAM crashed during its scan, reinstalling and running with AV auto-protect disabled did not fix the crash. I ran Super-Anti Spyware in MBAM's place. I also had to run DDS a second time at the end; I thought it would save its logs as files but apparently I had to copy and save the log files manually. The logs are for the 2nd run as the "9th step."

    Post-8-step symptoms are a greyed-out desktop with no shortcuts. Access to My Documents is restored and the Thinkpoint/Check Disk programs appear to be gone.

    Thanks in advance for any assistance you can provide.


    Logs follow:


    ---------
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/23/2010 at 03:31 AM

    Application Version : 4.34.1000

    Core Rules Database Version : 5904
    Trace Rules Database Version: 3716

    Scan type : Quick Scan
    Total Scan Time : 00:29:50

    Memory items scanned : 615
    Memory threats detected : 0
    Registry items scanned : 542
    Registry threats detected : 1
    File items scanned : 11256
    File threats detected : 4

    Adware.Tracking Cookie
    C:\Documents and Settings\Ken\Cookies\ken@www.stopzilla[3].txt
    C:\Documents and Settings\Ken\Cookies\ken@stopzilla[1].txt

    Malware.Trace
    HKU\S-1-5-21-2843613848-293874205-746590682-1007\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

    Trojan.Agent/Gen-Haote
    C:\PROGRAM FILES\X-COM UFO DEFENSE\UNINSTALL.EXE
    C:\DOCUMENTS AND SETTINGS\KEN\START MENU\PROGRAMS\RESPONSIBILITY COUNTERMEASURES\X-COM UFO DEFENSE\UNINSTALL X-COM UFO DEFENSE.LNK

    -------------------------

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-11-23 02:55:04
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK4026GAX rev.PA102D
    Running: pucmsc6e.exe; Driver: C:\DOCUME~1\Ken\LOCALS~1\Temp\uxryyfoc.sys


    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----



    --------------------

    DDS (Ver_10-11-10.01) - NTFSx86
    Run by Ken at 4:04:18.72 on 11/23/2010 Tue
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professional 5.1.2600.3.932.81.1033.18.1023.448 [GMT -6:00]

    AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k eapsvcs
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k dot3svc
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
    C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
    C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\System32\NOTEPAD.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Ken\My Documents\Downloads\dds.scr
    C:\WINDOWS\system32\conime.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.drudgereport.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: ATLAS Toolbar: {3c6301ed-0f78-4af2-8150-d9c052361a8e} - c:\program files\atlas v13\ATLIECP.DLL
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.8.0.41\IPSBHO.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: ATLAS Toolbar: {3c6301ed-0f78-4af2-8150-d9c052361a8e} - c:\program files\atlas v13\ATLIECP.DLL
    TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
    uRun: [ygpayeohUJ.exe] c:\docume~1\ken\locals~1\temp\ygpayeohUJ.exe
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [Dell Photo AIO Printer 942] "c:\program files\dell photo aio printer 942\dlbubmgr.exe"
    mRun: [DellMCM] "c:\program files\dell photo aio printer 942\memcard.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\docume~1\ken\startm~1\programs\startup\2wires~1.lnk - c:\program files\2wire\WebWorks.exe
    IE: &Translate with ATLAS - c:\program files\atlas v13\Atlscript.html
    IE: ATLAS Translation &Editor - c:\program files\atlas v13\AtlscriptEdit.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {B7707A72-4355-11D4-82BD-00000EBBEF8D} - c:\program files\atlas v13\Atlscript.html
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\ken\applic~1\mozilla\firefox\profiles\rdge76fq.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - http:/www.drudgereport.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
    FF - prefs.js: keyword.enabled - false
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
    FF - plugin: c:\documents and settings\ken\application data\facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\ken\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\ken\application data\mozilla\firefox\profiles\rdge76fq.default\extensions\activegs@freetoolsassociation.com\platform\winnt_x86-msvc\plugins\npActiveGS.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\windows\system32\cult3d\NPMCult3DP.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-1-27 310320]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-11-22 11608]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-1-27 259632]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-1-27 482432]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100312.001\IDSXpx86.sys [2010-3-15 329592]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
    R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2010-3-31 8576]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-22 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-22 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-22 60936]
    R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]
    R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-1-27 117640]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
    S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\vmlaunch\buddyvm.sys --> c:\program files\vmlaunch\BuddyVM.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-17 135664]
    S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10910.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10910.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-2-20 38224]
    S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100315.003\NAVENG.SYS [2010-3-15 84912]
    S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100315.003\NAVEX15.SYS [2010-3-15 1324720]

    =============== Created Last 30 ================

    2010-11-23 03:57:48 -------- d-----w- c:\windows\system32\NtmsData
    2010-11-23 03:56:19 -------- d-----w- c:\docume~1\ken\applic~1\Avira
    2010-11-23 03:45:07 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-23 03:45:06 -------- d-----w- c:\program files\Avira
    2010-11-23 03:45:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-11-22 23:26:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
    2010-11-16 18:24:37 -------- d-----w- c:\program files\Install Creator
    2010-11-09 00:52:20 -------- d-----w- c:\program files\Audacity
    2010-10-24 10:19:15 -------- d-----w- c:\docume~1\ken\applic~1\Team K17

    ==================== Find3M ====================

    2010-10-03 19:00:55 89680 ----a-w- c:\documents and settings\ken\MSSSerif120.fon
    2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

    ============= FINISH: 4:05:56.15 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-10.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/31/2005 9:02:57 PM
    System Uptime: 11/23/2010 3:39:57 AM (1 hours ago)

    Motherboard: Dell Computer Corporation | | 0X8957
    Processor: Intel(R) Pentium(R) M processor 1.60GHz | Microprocessor | 1594/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 33 GiB total, 0.882 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP142: 11/22/2010 5:25:44 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
    RP143: 11/22/2010 9:38:36 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.

    ==== Installed Programs ======================

    2Wire Wireless Client
    7-Zip 4.23
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.2.5
    Adobe Shockwave Player 11.5
    AdobeR PhotoshopR Album Starter Edition 3.0
    AIM 6
    ALPS Touch Pad Driver
    AOLIcon
    Apple Software Update
    AT&T Yahoo! High Speed Internet Home Networking Installer
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    ATLAS Translation Double Pack V13.0
    Audacity 1.2.6
    Avira AntiVir Personal - Free Antivirus
    Banctec Service Agreement
    Broadcom Management Programs 2
    Business Contact Manager for Outlook 2003
    C-Major Audio
    CCleaner
    Conexant D480 MDC V.9x Modem
    Critical Update for Windows Media Player 11 (KB959772)
    CuteFTP 7 Home
    Dangerous Waters
    Dell Driver Reset Tool
    Dell Media Experience
    Dell Photo AIO Printer 942
    Dell Photo Printer 720
    Dell Picture Studio v3.0
    Dell Support Center (Support Software)
    Dell System Restore
    DellSupport
    Desktop Weather by The Weather Channel
    Digital Line Detect
    Empire Earth
    eMusic - 100 Free MP3 offer
    End It All
    Facebook Plug-In
    Fraps
    G23942EN
    GameSpy Arcade
    Get High Speed Internet!
    Google Earth
    Google Update Helper
    GTK+ 2.8.18-1 runtime environment
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Hyper Lobby Pro Client version 3.8.97
    Install Creator
    Intel(R) PROSet/Wireless Software
    Internal Network Card Power Management
    Internet Explorer Default Page
    IrfanView (remove only)
    IU Windows Authentication Update
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    Jasc Paint Shop Photo Album
    Jasc Paint Shop Photo Album 5
    Jasc Paint Shop Pro 8 Dell Edition
    Jasc Paint Shop Pro Studio, Dell Editon
    Java 2 Runtime Environment, SE v1.4.2_03
    Java Auto Updater
    Java(TM) 6 Update 18
    JDownloader
    K-Lite Mega Codec Pack 1.53
    Learn2 Player (Uninstall Only)
    Logitech Gaming Software
    LogMeIn Hamachi
    LwAmi v3.09 Modification
    Macromedia Flash Player
    Malwarebytes' Anti-Malware
    mCore
    mDriver
    mDrWiFi
    mHlpDell
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    mIWA
    mLogView
    mMHouse
    Modem Helper
    Mozilla Firefox (3.6.12)
    mPfMgr
    mPfWiz
    mProSafe
    mSCfg
    mSSO
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser
    Musicmatch for Windows Media Player
    MusicmatchR Jukebox
    mWlsSafe
    mWMI
    MyWay Search Assistant
    mZConfig
    NetWaiting
    Norton AntiVirus
    Notebook Hardware Control 2.0 Pre-Release-06 Bugfix
    Nvu 1.0
    OGA Notifier 2.0.0048.0
    Photo Click
    PowerDVD 5.5
    QuickBooks Simple Start Special Edition
    QuickSet
    QuickTime
    RealPlayer
    RGSS-RTP Standard
    RPG Maker VX RTP
    RPGXP
    RPGツクール2000 ランタイムパッケージ
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB2288953)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sonic DLA
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    SUPERAntiSpyware Free Edition
    TBS WMP Plug-in
    TeamSpeak 2 RC2
    The Weather Channel Desktop 6
    TortoiseSVN 1.6.11.20210 (32 bit)
    Trillian
    ubi.com
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Outlook 2007 Junk Email Filter (KB2443839)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VLC media player 1.0.1
    WebFldrs XP
    Winamp (remove only)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    WinZip
    Xfire (remove only)
    YOU DON'T KNOW JACK Volume 2

    ==== Event Viewer Messages From Past Week ========

    11/23/2010 3:43:22 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/23/2010 3:43:01 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    11/23/2010 2:07:32 AM, error: Service Control Manager [7034] - The SupportSoft Sprocket Service (dellsupportcenter) service terminated unexpectedly. It has done this 1 time(s).
    11/23/2010 2:07:31 AM, error: Service Control Manager [7034] - The NICCONFIGSVC service terminated unexpectedly. It has done this 1 time(s).
    11/23/2010 2:07:31 AM, error: Service Control Manager [7034] - The LogMeIn Hamachi 2.0 Tunneling Engine service terminated unexpectedly. It has done this 1 time(s).
    11/23/2010 2:07:31 AM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
    11/23/2010 2:07:30 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    11/23/2010 2:07:30 AM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless SSO Service service terminated unexpectedly. It has done this 1 time(s).
    11/23/2010 2:07:30 AM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Service service terminated unexpectedly. It has done this 1 time(s).
    11/23/2010 2:07:29 AM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
    11/23/2010 2:07:29 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    11/22/2010 9:38:16 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.
    11/22/2010 5:32:10 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde sptd
    11/22/2010 5:18:57 PM, error: Service Control Manager [7034] - The Smart Card service terminated unexpectedly. It has done this 1 time(s).
    11/22/2010 5:18:57 PM, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
    11/21/2010 6:51:02 AM, error: SideBySide [61] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2. The required attribute version is missing from element assemblyIdentity.
    11/21/2010 6:51:02 AM, error: SideBySide [61] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2. The required attribute version is missing from element assemblyIdentity.
    11/21/2010 6:51:02 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest. Reference error message: The operation completed successfully. .
    11/21/2010 6:51:02 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest. Reference error message: The operation completed successfully. .
    11/21/2010 6:51:02 AM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2.
    11/21/2010 6:51:02 AM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2.
    11/20/2010 1:05:37 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer HOME-9BEBA76B7F that believes that it is the master browser for the domain on transport NetBT_Tcpip_{459CF2DB-DA0. The master browser is stopping or an election is being forced.
    11/18/2010 2:18:31 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    11/17/2010 2:49:03 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
    11/16/2010 11:22:38 PM, error: System Error [1003] - Error code 00000024, parameter1 001902fe, parameter2 f7c76940, parameter3 f7c7663c, parameter4 f765f018.
    11/16/2010 11:20:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sptd
    11/16/2010 11:20:25 PM, error: Service Control Manager [7000] - The Machine Debug Manager service failed to start due to the following error: The system cannot find the file specified.
    11/16/2010 11:20:25 PM, error: Service Control Manager [7000] - The BuddyVM service failed to start due to the following error: The system cannot find the path specified.

    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll help with the malware.
    About this:
    Each program has instructions about the log that is produced. Most commonly, it copies to Notepad and you paste it in the thread. I don't have enough information from you though about exactly what your problem was.

    Stopzilla is certainly pronouncing the system with a multitude of Malware! I'm not going to take the word of it though and prefer to see the evidence for myself.

    But here is a significant problem: Multiple firewalls and antivirus programs:
    AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
    AV: AntiVir Desktop *On-access scanning disabled* (Updated)
    AV: McAfee VirusScan *On-access scanning disabled* (Updated)
    FW: McAfee Personal Firewall Plus *enabled*


    You should have only one firewall and one antivirus program on the system. Multiple FW and/or AV cause a system to be more vulnerable, not less. So the first thing you need to do is get down to one of each and uninstall the others. Here are some tools to help:
    • Norton Removal Tool
    • McAfee Removal
    • Avira Removal:
      [o] Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
      [o] Wait for the list of installed programs to load, then click the name of the Avira program.
      [o] Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
      [o] Press Yes, to confirm the removal and then OK.
      [o] Click Next until Finish. The software is removed.
    Please reboot the computer after handling the above.
    =========================================
    For Malwarebytes:Please download randmbam.exe
    It will try to create random names and shortcuts for Malwarebytes Anti Malware(MBAM) if you have it installed already. Once done, try running a scan again
    ========================================
    Let see what you picked up with the multiple FW and AV:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ==========================================
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    =====================================
    Note: I see these entries in installed programs:
    RPG Maker VX RTP
    RPGXP
    RPGツクール2000 ランタイムパッケージ

    Do you have another language other than English on the system?

    You have multiple outdated versions of Java on the system> another vulnerability. I will have you run a program to remove them all, then have you update to current version.

    One other thing to bring to your attention: you are basically out of free space on the hard drive:
    C: is FIXED (NTFS) - 33 GiB total, 0.882 GiB free.

    Important
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. NotEnoughSand

    NotEnoughSand TS Rookie Topic Starter

    I'm going to post before completing everything because of multiple restarts on the process.

    I've removed McAfee and Norton, leaving Avira for now.
    MBAM is still crashing even with the random link. I hope you aren't confusing the program crashing with ThinkPoint/ScanDisk preventing it from starting. I got around the later by just attempting it until it ran. Here is the crash report.

    AppName: 627123645627.exe AppVer: 1.46.0.1 ModName: mbam.dll
    ModVer: 1.46.0.0 Offset: 0001fffe


    ESET log:

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=e2a4c04404ae8340be67709b9b876e52
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-23 08:16:40
    # local_time=2010-11-23 02:16:40 (-0600, Central Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 52612251 52612251 0 0
    # compatibility_mode=1797 16775141 100 93 0 26960188 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=113989
    # found=1
    # cleaned=0
    # scan_time=4560
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP142\A0024836.exe a variant of Win32/Adware.FakeAntiSpy.S application 00000000000000000000000000000000 I


    Combofix step to follow...
     
  4. NotEnoughSand

    NotEnoughSand TS Rookie Topic Starter

    Running Combofix has restored my wallpaper. The contents of the desktop remain hidden from the desktop. This is the only symptom left.

    Am I ready for the java update/removal?

    ComboFix log:

    ComboFix 10-11-23.01 - Ken 3/2010 Tue 15:06:20.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.932.81.1033.18.1023.530 [GMT -6:00]
    Running from: c:\documents and settings\Ken\My Documents\Downloads\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
    .

    2010-11-23 18:52 . 2010-11-23 18:52 -------- d-----w- c:\program files\ESET
    2010-11-23 03:57 . 2010-11-23 07:24 -------- d-----w- c:\windows\system32\NtmsData
    2010-11-23 03:56 . 2010-11-23 03:56 -------- d-----w- c:\documents and settings\Ken\Application Data\Avira
    2010-11-23 03:45 . 2010-08-02 22:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-23 03:45 . 2010-08-02 22:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-11-23 03:45 . 2010-06-17 21:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-11-23 03:45 . 2010-06-17 21:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-11-23 03:45 . 2010-11-23 03:45 -------- d-----w- c:\program files\Avira
    2010-11-23 03:45 . 2010-11-23 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-11-22 23:26 . 2010-11-23 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-11-16 18:24 . 2010-11-16 19:30 -------- d-----w- c:\program files\Install Creator
    2010-11-09 00:52 . 2010-11-09 00:52 -------- d-----w- c:\program files\Audacity

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-22 23:47 . 2010-03-27 16:57 22528 ----a-w- c:\windows\system32\drivers\nhcDriver.sys
    2010-10-03 19:00 . 2005-10-30 18:22 89680 ----a-w- c:\documents and settings\Ken\MSSSerif120.fon
    2010-09-18 17:23 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-11 22:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-11 22:00 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-01 11:51 . 2004-08-11 22:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2004-08-11 22:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2004-08-11 22:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2004-08-11 22:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2005-08-25 09:35 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-17 15:57 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
    "Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2005-04-28 294912]
    "DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

    c:\documents and settings\Ken\Start Menu\Programs\Startup\
    2WireSetup.lnk - c:\program files\2Wire\WebWorks.exe [2009-4-17 626688]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @="FSFilter Activity Monitor"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
    backup=c:\windows\pss\ymetray.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2005-06-07 04:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    2008-10-31 19:22 50480 ----a-w- c:\program files\AIM6\aim6.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
    2005-01-31 21:35 155648 ----a-w- c:\program files\Apoint\Apoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
    2008-08-13 23:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
    2005-01-27 06:02 86016 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    2005-02-23 21:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
    2005-08-29 18:51 629872 ----a-w- c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
    2010-04-16 16:25 818288 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2004-09-14 13:50 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-02-16 14:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2006-09-21 13:08 214448 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-02-18 21:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2006-09-21 13:08 185784 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 9:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 9:15 AM 66632]
    R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [3/31/2010 4:48 AM 8576]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/22/2010 9:45 PM 135336]
    R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [3/30/2010 10:16 AM 1107336]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/20/2010 10:41 PM 38224]
    S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
    S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/17/2010 11:14 AM 135664]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 9:15 AM 12872]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MBAMSWISSARMY
    *Deregistered* - IDSxpx86
    *Deregistered* - SymEvent
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-21 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

    2010-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 17:14]

    2010-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 17:14]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.drudgereport.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    IE: &Translate with ATLAS - c:\program files\ATLAS V13\Atlscript.html
    IE: ATLAS Translation &Editor - c:\program files\ATLAS V13\AtlscriptEdit.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\rdge76fq.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - http:/www.drudgereport.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
    FF - prefs.js: keyword.enabled - false
    FF - plugin: c:\documents and settings\Ken\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\Ken\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\rdge76fq.default\extensions\activegs@freetoolsassociation.com\platform\WINNT_x86-msvc\plugins\npActiveGS.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\windows\SYSTEM32\Cult3D\NPMCult3DP.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -





    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-23 15:13
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2843613848-293874205-746590682-1007\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(896)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-11-23 15:16:41
    ComboFix-quarantined-files.txt 2010-11-23 21:16
    ComboFix2.txt 2010-06-11 00:34
    ComboFix3.txt 2010-02-24 04:40

    Pre-Run: 729,120,768 bytes free
    Post-Run: 707,641,344 bytes free

    - - End Of File - - 1C36AEF1993C3BE1D0C2F973A31A903D
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I don't want any crash reports. The Eset log only show malware in a restore point. It's not active in your system. When I get the logs from the programs I asked you to run, we'll continue.

    Please disable Stopzilla for now. I'm trying to figure out why I got 5 email notices of your reply!
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Fix the above please.

    Edit: That mens uninstall one of the AV programs.
    Will check Combofix log a bit later.
     
  7. NotEnoughSand

    NotEnoughSand TS Rookie Topic Starter

    Sorry about the crash report. I thought you might want to see it because it could reveal the cause of it not working and that rather than waste time waiting for a request I'd just volunteer it.

    At risk of belaboring the obvious, I cannot post the log to MBAM because MBAM crashes.

    I removed Stopzilla (by uninstalling from Add/Remove programs) before beginning the 8-step process. I don't see stopzilla on the Add/Remove list anymore and it does not appear in Program Files. If there are artifacts that are causing trouble, I'll need some information to be able to find and remove them.

    Well, frack. I don't know what the first is, and the 2nd I already did. I'll try again...
    Result: SymNRT.ext - Application Error: The instruction at 0x00404bd9 referenced memory at 0x0000000004. The memory could not be read.


    Lastly, a possible new symptom. I just got a "Dell Support Center Alert" popup notification. I used to get these as legit notices some time ago, but it's been a long time since that's happened, and they looked different. It's probably legit and they just changed the format of the window, but the timing is suspicious.



    UPDATE1652 CentralUS
    I've had success removing Norton. My mistake was not first removing from Add/Remove programs before running the removal utility. The system didn't automatically reboot after and there were some odd error messages after the removal utility finished, so it's possible that it wasn't 100% successful. But it looks like it worked.

    I tried removing and reinstalling MBAM again and it is still crashing. If it helps, the scan is at Windows/system32/vdrme... (window cut off by crash message) when it crashes. I think at this point it's a reasonable hypothesis that the infection disabled/damaged software that MBAM uses and that MBAM will not work until the damage is diagnosed and repaired. Either that or the latest update of MBAM just doesn't work and we have to wait for them to fix it.

    NEW SYMPTOM: I've been getting messages that I lack 'system resources' to run programs like MBAM, which has been solved with reboots. Firefox has also been locking up in a way it never used to.
     
  8. NotEnoughSand

    NotEnoughSand TS Rookie Topic Starter

    Well, I hope everyone had a good Thanksgiving (if US).
    Hopefully after the lull it's OK to give a bump.

    Status at this time:
    -Desktop icons problem fixed
    *Experiencing glitches. Windows become transparent, text becomes horizontal lines, the word "start" disappears from the start button. I'll try to update this with error messages next time it happens.
    *MBAM still crashes during scan, despite being removed and reinstalled.

    Please let me know how we should proceed, in particular what can be done to solve or circumvent the MBAM issue.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I started this last night then fell asleep at the computer=======

    Oh my! How did you get so far away! The most critical thing you need to address is the lack of hard drive 'space'. That means if you want to run the system at all, you will need to remove as much as you can from the hard drive and stop Startups to free up RAM.

    I can help you with that by using script to run through Combofix if you would like.

    I have 2 questions about entries to include:
    There are several entries loading for the Ajax translation toolbar. Do you need this to start on boot and run all the time in the background?
    There is an abundance of entries for the Tortoise Overlay. Do you need these to start on boot and continued to run in the background??

    You need to accomplish 2 things before trying to go further:
    Free up hard drive 'space'
    Stop processes you don't need running to leave the system with available RAM.

    Until these are done, there is no point in trying to go further
     
  10. NotEnoughSand

    NotEnoughSand TS Rookie Topic Starter

    No and no.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    First Step:
    You will need to take processes off of Startup for everything except Avira related processes, ALPS Touch Pad Driver related processes. To do that:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Uncheck all processes related to the following:
      ATLAS Translation Double Pack V13.0
      Banctec Service Agreement
      Dell Driver Reset Tool
      Dell Media Experience
      Dell Photo AIO Printer 942
      Dell Photo Printer 720
      Dell Picture Studio v3.0
      Dell Support Center (Support Software)
      DellSupport
      Desktop Weather by The Weather Channel
      Empire Earth
      eMusic - 100 Free MP3 offer
      Fraps
      G23942EN
      GameSpy Arcade
      Get High Speed Internet!
      Google Earth
      Google Update Helper
      GTK+ 2.8.18-1 runtime environment
      HijackThis 2.0.2
    • Click on Apply> OK when finished.
    (Note 1: Include Dell AIO, Dell Support Center, games, media players, Adobe Reader & photo, Java in the unchecking)
    NOTE 2:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changed. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.

    Go to Add/Remove Programs in the Control Panel and uninstall as many programs & apps as you can do without. Please include uninstall of Java v5u4, v6u17, v6u18If you want to save any, use Windows Explorer to find the program folder, set up a new folder to move these program into making sure the executable file is included. Then do a right click on the older> Send to> compress (zip) it. Use something like Direct CD to move the folder to a CD.

    After the uninstall: Right click on Taskbar> Explore> My Computer> Local Drive (C)> Programs> find the folder for each uninstall and do a Right Click> Delete.
    ====================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
     
  12. NotEnoughSand

    NotEnoughSand TS Rookie Topic Starter

    There wasn't that much that wasn't already unchecked at msconfig.

    I was more comfortable removing programs with the Dell label, so several programs were purged. Got a little too aggressive and accidentally took out an audio driver while I was at it, but I fixed it. It didn't appear to free up much space though. I think the majority of my drive space disappeared when I installed .NET Framework updates and Windows Service Packs. If there's a safe way to trim that down, I'm all ears. But at least with .NET my understanding is that you're supposed to hold on to the older stuff or risk messing up the whole thing.


    Of the 3 Java programs you mentioned specifically, v6u17 was not present.

    I am being prompted to download Java v6u22. Should I grab that now or hold off?


    HiJackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:29:14 PM, on 12/20/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\System32\NOTEPAD.EXE
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\system32\notepad.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - Startup: 2WireSetup.lnk = C:\Program Files\2Wire\WebWorks.exe
    O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V13\Atlscript.html
    O8 - Extra context menu item: ATLAS Translation &Editor - C:\Program Files\ATLAS V13\AtlscriptEdit.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V13\Atlscript.html
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.159,85.255.112.16
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 7002 bytes
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay yo go ahead on this:
    Check this site .Java Updates

    Did you understand that when I had you uncheck processes using the msconfig utility that it just took the processes off of start up, but did not uninstall them? So any you unchecked by mistake could just be checked again. The list I left was taken from processes showing loading on Start in msconfig.

    If you do not use any of the programs you unchecked, then]/b] they should be uninstalled in Add/remove Programs and the program folder deleted in Windows explorer.

    The HJT you ran is v2.0.2. The link I gave you was for the current version v2.0.4.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.